I just discovered that my university alumni's login page is just plain HTTP. Wireshark confirmed that the credentials are sent using an HTTP POST message. I did a bit of research and, as I thought, ...

We found a security vulnerability in a widespread product of a big IT company (the company is listed as a CNA here: http://cve.mitre.org/cve/cna.html#participating_cnas).
We notified the company, they ...

I'm employed as a consultant at a big tech consultancy. I recently noticed a major flaw in their website: they send my login credentials in plain text over HTTP. I verified this by doing an outbound ...

So it's a fairly simple question. When offering an avenue to security researchers for communication with us regarding disclosure of security vulnerabilities, what's the best way to do so?
Assume we ...

Apologies if this is not the right place to ask this question, I will happily move it to another Stack Exchange site if need be.
Before I explain the rationale behind the question, let me clear up a ...

Being on the company security email list, I get emails with some regularity complaining about email discovery on various forms on my employer's website. The reporters are complaining about things like ...

I have asked about security release notes (Considerations for security release notes).
I need additional clarification about security vulnerability announcements.
We create a major release of our product ...

I need help with understanding how to manage security release notes for our product.
We create a major release of our product about every half year and security or maintenance releases each month.
What ...

I'm not a hacker, but recently I was able to get someone's email password. I want to teach him a lesson to be careful when using the internet and to pay attention to his passwords, but I have some problems:
...

As a conscientious programmer, I put security as one of the core requirements of every product I develop. To prevent flaws from being introduced, I promote a culture of awareness (e.g. make sure that ...

Lots of websites like Google, Facebook etc. acknowledge the white hat hackers on their sites for reporting security vulnerabilities. But for the vulnerability reporter, is it safe from a legal perspective? ...

I'd like advice on how and where to announce an XSS vulnerability (persistent XSS to be exact). My greatest fear is the announcement getting snowed under, thus rendering the disclosure ineffective in ...

I was afraid reading this: This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real-time. It seems to me that PGP and other sensible tools have to lock memory to ...

I recently discovered a publicly accessible web interface to a highly sensitive bit of lab equipment, the malfunction of which would result in potential loss of life or serious health concerns to a ...

I've noticed that Stack Exchange always reveals the detailed structure of its servers and systems (see these blog posts). And also the exact results of their tests and points of weakness (see the old ...

In my spare time I write some PHP code the purpose of which is to block link spam and other various malicious activity.
On May 11 someone who discovered an XSS vulnerability in the WordPress version ...

I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval.
We are not using this option, and it is probably there ...

I ordered a product from a website and found that their invoice display page is completely unprotected, with the order id in the query string, and merely incrementing the number exposes every order. ...

I've encountered a strange thing. I connected to an open Wi-Fi, then I was just fooling around. First, I visited 192.168.0.1 and it was a router configuration page, but the default password didn't work.
...

There are articles on the Internet (e.g. this) that claim that the FBI/CIA injected security backdoors into OpenBSD.
I'd like to know if there are any other references to this issue. This would help ...

My understanding is that open source systems are commonly believed to be more secure than closed source systems.
Reasons for taking either approach, or combination of them, include: cultural norms, ...

In A Comparison of Market Approaches to Software Vulnerability Disclosure (2006), Rainer Böhme describes the profound role of economic "market failure" in the industry dynamics that hinder software ...